Nov 6th, 2008

I've set up a VTI on two 2821 routers which both have ZFW deployed on them. Without ZFW on, the VTI works between the two routers and all traffic passes freely. When I turn on ZFW (basic FW using the wizard) no traffic flows over the VTI. The VTI is up but I cannot ping across it and/or run OSPF. So, the questions I have are:

• Do I need to create a zone pair (along with the appropriate class-map and policy-map) between the internal interface and the tunnel interface and vice versa?

• Do I need to create a zone pair between the outside interface and some internal interface?

mocah Fri, 11/14/2008 - 05:57

Can you post config from your router?

torchris Sun, 11/23/2008 - 13:49

If the internal interface and the tunnel interface are in the same zone, all the traffic is permitted between them.

Then you need to create a zone-pair between the different interfaces of the router, because if there is no zone-pair between them the traffic will fail.

I hope it helps.

mocah Fri, 06/12/2009 - 06:12

I have the same problem as bardellom. Tunnel is up, ISAKMP is established but traffic cannot reach the other end. Tunnels are in the same sec. zone as LAN.

Do I need to create Zone-pair between self zone and LAN security zone?

torchris Fri, 06/12/2009 - 06:52

The thing is the following.

By default, the self zone is created once you create a zone.

In order to permit a L2L tunnel to be established to the router, you will need something like this.

ip access-list ext Tunnel
 permit udp any any eq 500
 permit udp any any eq 4500
 permit esp any any
class-map type inspect match-all VPN
 match access-group name Tunnel
policy-map type inspect 2self
 class VPN


From the self zone to the out-zone, don't do any zone-pairs, and everything will be implicitly permitted.

For the VTI lines, please do the same but for the SSH and telnet ports.

If you have any questions, please let me know.

Chris - TAC Security Engineer

mocah Fri, 06/12/2009 - 10:06

Hello torchris,

First I would like to thank you :)

I have the following config on both routers:

ip access-list extended VPN
 permit esp any any
 permit udp any any eq isakmp
 permit ahp any any
 permit udp any any eq non500-isakmp
class-map type inspect match-all ipsec-cmap
 match access-group name VPN
policy-map type inspect Internet2Self-pmap
 class type inspect ipsec-cmap

 class type inspect ssh-cmap

 class type inspect icmp-cmap

 class class-default

zone-pair security Internet2Self source Internet destination self
 service-policy type inspect Internet2Self-pmap
zone-pair security Self2Internet source self destination Internet
 service-policy type inspect Internet2Self-pmap

ISAKMP and IPsec tunnel are established; only the firewall is blocking traffic. This is the message from the log file:

%FW-6-DROP_PKT: Dropping Unknown-l4 session xxx.xxx.xxx.84:0 xxx.xxx.xxx.33:0 on zone-pair Internet2Self class class-default due to DROP action found in policy-map with ip ident 0

And when I am trying to ping from one tunnel interface to the other:

%FW-6-DROP_PKT: Dropping icmp session due to policy match failure with ip ident 0


torchris Fri, 06/12/2009 - 10:36

Thanks for the reply.

The problem that you are having is the action on the policy.

Instead of inspect, it should be pass.

The reason for this is that the firewall uses the payload of the packet to inspect the traffic. The thing is that in ESP, the payload is encrypted.

Also, I checked that the ICMP traffic is being dropped.

You can do the following to permit ICMP:

class-map type inspect match-all ICMP2Self
 match protocol icmp
policy-map type inspect 2self
 class ICMP2Self


That should solve it for the ICMP and ESP traffic.
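A consolidated version of the fix described in this thread, written as an added example and not taken from either poster's configuration: the IPsec class gets the pass action in both self-zone pairs (ESP cannot be inspected because its payload is encrypted, and pass is one-directional), ICMP to the router is inspected, and the VTI is placed in the same zone as the LAN. Interface names, the zone names LAN and Internet, and the logged class-default drop are assumptions.

```cisco
! Constructed example: ZFW self-zone policy for an IPsec VTI
ip access-list extended VPN
 permit esp any any
 permit ahp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
!
class-map type inspect match-all ipsec-cmap
 match access-group name VPN
class-map type inspect match-all icmp-cmap
 match protocol icmp
!
! ESP/ISAKMP must be passed, not inspected: the firewall cannot see
! inside the encrypted payload, so inspect has nothing to track.
policy-map type inspect Internet2Self-pmap
 class type inspect ipsec-cmap
  pass
 class type inspect icmp-cmap
  inspect
 class class-default
  drop log
!
! pass is unidirectional, so the self-to-Internet pair needs it too,
! otherwise the router's own ESP/ISAKMP packets are dropped on egress.
policy-map type inspect Self2Internet-pmap
 class type inspect ipsec-cmap
  pass
 class type inspect icmp-cmap
  inspect
 class class-default
  drop log
!
zone security Internet
zone security LAN
!
zone-pair security Internet2Self source Internet destination self
 service-policy type inspect Internet2Self-pmap
zone-pair security Self2Internet source self destination Internet
 service-policy type inspect Self2Internet-pmap
!
interface GigabitEthernet0/0
 description outside (assumed name)
 zone-member security Internet
interface GigabitEthernet0/1
 description inside (assumed name)
 zone-member security LAN
interface Tunnel0
 description VTI in the LAN zone: LAN<->tunnel traffic is intra-zone
 zone-member security LAN
```

The class-default drop with log keeps the %FW-6-DROP_PKT messages visible, so anything still being blocked shows up with its zone-pair and class.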

mocah Fri, 06/12/2009 - 11:43

Thank you it is working :)

One more question. You mentioned:

class-map type inspect match-all ICMP2Self
 match protocol icmp

Is icmp traffic also encrypted if I send it from LAN on router 1 to LAN on router 2?

Kind regards, Marko

torchris Fri, 06/12/2009 - 12:14

Yes, the thing is the following.

If the traffic is from LAN on router 1 to LAN on router 2 the flow will be different and the self zone will not participate.

If you try to ping the LAN interface of the router, the packet will get to the router and it will be decrypted, then sent to the LAN interface and then through the VPN tunnel.

That means that when the packet gets to the LAN interface it is decrypted.

I hope it helps.
